4 March 2021

Cybersecurity firm Qualys appears to be the latest victim of Accellion FTA zero-day attacks

Cybersecurity firm Qualys appears to be the latest addition to the growing list of organizations that have suffered a data breach as a result of the recent attacks that exploited zero-day vulnerabilities in the Accellion FTA file-sharing application in order to steal sensitive data from victims.

The attacks, which began in December last year and affected multiple organizations across the globe (the New Zealand Central Bank, Singtel and Kroger, to name a few), exploited several vulnerabilities in Accellion’s FTA product in order to gain access to target networks and steal data, namely CVE-2021-27101 (SQL injection), CVE-2021-27102 (OS command execution), CVE-2021-27103 (SSRF), and CVE-2021-27104 (OS command execution). Using these flaws, the attackers were able to install a web shell named DEWMODE, which was then used to download files stored on the victims’ FTA servers. The stolen data was subsequently published on the Clop ransomware gang’s leak site.

Now, the cybercriminals behind the Clop ransomware operation have posted screenshots of files allegedly stolen from Qualys on their leak site. The leaked files include purchase orders, invoices, tax documents, and scan reports.

In a blog post published on Wednesday, Qualys confirmed that attackers gained access to files hosted on the Accellion FTA server located on its network, but said that there was “no impact on the Qualys production environments, codebase or customer data hosted on the Qualys Cloud Platform.”

“Qualys and Accellion conducted a detailed investigation and identified unauthorized access to files hosted on the Accellion FTA server. Based on this investigation, we immediately notified the limited number of customers impacted by this unauthorized access. The investigation confirmed that the unauthorized access was limited to the FTA server and did not impact any services provided or access to customer data hosted by the Qualys Cloud Platform,” Qualys’ CISO Ben Carr said.

The company said it deployed the Accellion FTA server in a segregated DMZ environment, completely separate from systems that host and support Qualys products.

“We received an integrity alert on December 24, 2020 and the impacted FTA server was immediately isolated from the network. Accordingly, Qualys shut down the affected Accellion FTA servers and provided alternatives to customers for support-related file transfer,” Qualys added.
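The integrity alert Qualys describes is the kind of signal a file-integrity baseline on an application server produces when a previously unknown file (such as a web shell) appears in the web root or an existing file is altered. The following is an added example, not Qualys or Accellion code and not the DEWMODE indicator itself: it builds a SHA-256 baseline of a directory tree, re-scans it later and reports added, removed and modified files. The directory layout and file contents are constructed for the demonstration.

```python
"""Minimal file-integrity baseline and compare for a web root.

Added example (not Qualys or Accellion code). It shows the defender-side
check behind an "integrity alert": hash every file once, re-hash later and
report anything that appeared, vanished or changed. All paths and file
contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map of path-relative-to-root -> SHA-256 for every regular file under root."""
    baseline: Dict[str, str] = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return baseline


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two baselines; a non-empty 'added' or 'modified' list is the alert condition."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline if name in current and baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then drop one file and alter another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "lib").mkdir()
        (root / "lib" / "util.php").write_text("<?php function f() {} ?>\n")
        baseline = build_baseline(root)

        # Constructed changes standing in for a post-exploitation file drop
        # and a tampered existing file; a real monitor would be comparing
        # against a baseline stored off-host.
        (root / "about.php").write_text("<?php /* constructed: unexpected new file */ ?>\n")
        (root / "lib" / "util.php").write_text("<?php function f() { /* changed */ } ?>\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    report = demo()
    for kind, names in report.items():
        print(f"{kind}: {names}")
```

In production the baseline would be written at deployment time and kept where the monitored host cannot rewrite it, and the compare step would run on a schedule; the point the example makes is that a web root on a file-transfer appliance should almost never gain new executable files, so "added" entries there deserve the immediate isolation Qualys describes.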
